
Given the nature of my work, I look at a lot of disassembled code from executables (EXE, DLL, etc.).

This time I came across something odd(?), so here is a quick post about it...

[Figure 01]. Sample #1



[Figure 02]. Sample #2



These are disassembly listings from two different files~

Take a look at the instruction and the hex code in the boxed areas.

They are clearly the same assembly instruction, yet the hex code differs...;;
( It has probably always been this way, but this is the first time I have noticed it...;;; )


Until now I had taken it for granted that

the opening code of a function that sets up a stack frame is

" 55, 8B, EC (PUSH EBP, MOV EBP, ESP) "...

but apparently that is not always! the case..;;;

When I get a chance I should dig through the Intel instruction encodings... ^^;;;;
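The following is an added example, not code from the original post. The bytes in the two screenshots are only visible in the images, but the most common cause of exactly this observation is documented in the Intel manual: a register-to-register MOV has two valid encodings. Opcode 8B (MOV r32, r/m32) puts the destination in the ModRM reg field, opcode 89 (MOV r/m32, r32) puts the source there, so "mov ebp, esp" can be 8B EC or 89 E5. MASM/MSVC emit the 8B form and GAS/GCC emit the 89 form, which is why two binaries show the same prologue with different bytes. The decoder/encoder below handles only PUSH r32 and the register form of MOV (the two sample byte strings are constructed for the example); every other opcode is reported as unsupported.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post): a minimal decoder and
 * encoder for PUSH r32 and the register-to-register form of 32-bit MOV,
 * enough to show why "mov ebp, esp" can be 8B EC in one binary and
 * 89 E5 in another. Only opcodes 0x50..0x57 and 0x89/0x8B with ModRM
 * mod == 11 are handled; anything else is reported as unsupported. */

enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI };   /* ModRM register numbers */

static const char *const REG32[8] = {
    "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"
};

/* Constructed inputs: the two prologues compared in the post, plus one
 * memory-operand MOV that this toy decoder deliberately does not handle. */
const uint8_t SAMPLE_MSVC[3] = {0x55, 0x8B, 0xEC};  /* MASM/MSVC style   */
const uint8_t SAMPLE_GCC[3]  = {0x55, 0x89, 0xE5};  /* GAS/GCC style     */
const uint8_t SAMPLE_MEM[3]  = {0x8B, 0x45, 0x08};  /* mov eax,[ebp+8]   */

/* Decode one instruction. Writes Intel-syntax text into out and returns
 * the number of bytes consumed, or 0 if the form is not supported. */
size_t decode_one(const uint8_t *code, size_t len, char *out, size_t outlen)
{
    if (len == 0) return 0;
    uint8_t op = code[0];

    if (op >= 0x50 && op <= 0x57) {               /* 50+r : PUSH r32 */
        snprintf(out, outlen, "push %s", REG32[op - 0x50]);
        return 1;
    }
    /* 89 /r : MOV r/m32, r32   -> reg field is the SOURCE
     * 8B /r : MOV r32, r/m32   -> reg field is the DESTINATION
     * With mod == 11 both operands are registers, so either opcode can
     * express the same move; only the ModRM byte is swapped. */
    if ((op == 0x89 || op == 0x8B) && len >= 2) {
        uint8_t modrm = code[1];
        uint8_t mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
        if (mod != 3) return 0;                   /* memory operand: not handled */
        const char *dst = (op == 0x8B) ? REG32[reg] : REG32[rm];
        const char *src = (op == 0x8B) ? REG32[rm]  : REG32[reg];
        snprintf(out, outlen, "mov %s, %s", dst, src);
        return 2;
    }
    return 0;
}

/* Disassemble a byte string into "ins; ins; ..." and return the number of
 * instructions decoded (stops at the first unsupported byte). */
int disasm(const uint8_t *code, size_t len, char *out, size_t outlen)
{
    int n = 0;
    size_t pos = 0;
    out[0] = '\0';
    while (pos < len) {
        char ins[32];
        size_t used = decode_one(code + pos, len - pos, ins, sizeof ins);
        if (used == 0) break;
        if (n) strncat(out, "; ", outlen - strlen(out) - 1);
        strncat(out, ins, outlen - strlen(out) - 1);
        pos += used;
        n++;
    }
    return n;
}

/* Convenience check: does the byte string disassemble to exactly expected? */
int disasm_equals(const uint8_t *code, size_t len, const char *expected)
{
    char buf[128];
    disasm(code, len, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Encode MOV dst, src (register numbers 0..7) with the chosen opcode.
 * Returns the two bytes packed as (opcode << 8) | modrm, or -1 on bad input. */
int encode_mov_rr(uint8_t opcode, unsigned dst, unsigned src)
{
    if (dst > 7 || src > 7) return -1;
    if (opcode == 0x8B) return (int)((0x8Bu << 8) | 0xC0u | (dst << 3) | src); /* reg=dst, rm=src */
    if (opcode == 0x89) return (int)((0x89u << 8) | 0xC0u | (src << 3) | dst); /* reg=src, rm=dst */
    return -1;
}

int main(void)
{
    char buf[128];
    disasm(SAMPLE_MSVC, sizeof SAMPLE_MSVC, buf, sizeof buf);
    printf("55 8B EC -> %s\n", buf);
    disasm(SAMPLE_GCC, sizeof SAMPLE_GCC, buf, sizeof buf);
    printf("55 89 E5 -> %s\n", buf);
    printf("mov ebp, esp via 8B: %04X   via 89: %04X\n",
           (unsigned)encode_mov_rr(0x8B, EBP, ESP), (unsigned)encode_mov_rr(0x89, EBP, ESP));
    return 0;
}
```

The practical consequence for anyone writing byte-pattern signatures (YARA rules, AV signatures, function-prologue scanners): matching on `55 8B EC` alone silently misses every GCC/MinGW-built function, whose prologue is `55 89 E5`. Match both encodings, or match on the decoded instruction rather than the raw bytes.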




Kernel Detective v1.4.1 is out~ ^^;;

--------------------------------------------------------------------------------------------

Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you direct access to the kernel, so it is not oriented toward newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD!

Kernel Detective gives you the ability to:
1- Detect Hidden Processes.
2- Detect Hidden Threads.
3- Detect Hidden DLLs.
4- Detect Hidden Handles.
5- Detect Hidden Drivers.
6- Detect Hooked SSDT.
7- Detect Hooked Shadow SSDT.
8- Detect Hooked IDT.
9- Detect Kernel-mode code modifications and hooks.
10- Disassemble (Read/Write) Kernel-mode/User-mode memory.
11- Monitor debug output on your system.

What's new in v1.4.1:
- Fixed possible BSOD when scanning processes
- Fixed bug in callbacks scanning
- Enhanced display of file properties and signature verification
- Skeleton SDK for VS2008 included

What's new in v1.4.0:
- Added plugin system
- Added support for Windows Server 2008 and Windows 7 SP1
- Enhanced stability on NT 6.0+ (Windows Vista/7)
- Improved driver scan
- Improved code hook scan
- Fixed bug that prevented the tool from working on Windows XP
- Fixed bug related to long paths
- Fixed bug in process/driver dumper
- Fixed bug in IDT scan

--------------------------------------------------------------------------------------------

Source: AT4RE [ http://www.at4re.com ]



Other posts in the 'Reverse Engineering > RCE Tools' category

XueTr 0.40 update~  (0) 2011.06.14
XueTr 0.39 update~  (2) 2011.03.08
Import REConstructor v1.7e FINAL ~  (0) 2010.10.13
XueTr 0.36 update~  (2) 2010.08.07
OllyDbg~ 2.0 Final Release (2010.06.04)  (0) 2010.06.11


A new version of "Import REConstructor", the tool that comes in handy(?) for MUP (manual unpacking) work, has been posted~

The following is the announcement posted on Tuts 4 You.

---------------------------------------------------------------------------------------
Features:

- Imports
  - An original tree view
  - 2 different methods to find original imports (by IAT and/or API calls)
  - A *FULL* complete rebuilder (including a new fresh IAT)

- Loader
  - An analyzer and ripper of redirected API code
  - An injected loader code to support a mix of imports + ripped code in a thunk
  - A heuristic relocator

- Tracers
  - 3 default tracers (disasm, hook & ring3) to find APIs in redirected code
  - A plugin interface to develop your own tracers

- Misc
  - Supports ALL 32/64-bit Windows (9x, ME, NT, 2k, XP and Vista 32/64)
  - An export renormalizer for Win9x/ME (à la Icedump)
  - A built-in coloured disasm/hex-viewer to analyze the redirected code
  - A built-in dumper
  - Supports almost all known antidump tricks
---------------------------------------------------------------------------------------

Source: Tuts 4 You [ http://www.tuts4you.com ]



Other posts in the 'Reverse Engineering > RCE Tools' category

XueTr 0.39 update~  (2) 2011.03.08
Kernel Detective v1.4.1  (2) 2010.12.19
XueTr 0.36 update~  (2) 2010.08.07
OllyDbg~ 2.0 Final Release (2010.06.04)  (0) 2010.06.11
Kernel Detective v1.3.1  (8) 2010.03.29